Think Your Skype Messages Get End-To-End Encryption? Think Again


Posted
If you think the private messages you send over Skype are protected by end-to-end encryption, think again. The Microsoft-owned service regularly scans message contents for signs of fraud, and company managers may log the results indefinitely, Ars has confirmed. And this can only happen if Microsoft can convert the messages into human-readable form at will.


With the help of independent privacy and security researcher Ashkan Soltani, Ars used Skype to send four Web links that were created solely for the purposes of this article. Two of them were never clicked on, but the other two, one beginning with HTTP and the other with HTTPS, were accessed by a machine at 65.52.100.214, an IP address belonging to Microsoft. For those interested in the technical details: http://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/


Stay away from Skype!
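The four-link experiment described in the article is straightforward to reproduce against any messaging service. What follows is an added example, not code from the Ars article, from Soltani or from Skype: a minimal canary-link server that hands out unguessable URLs and logs who fetches them. The loopback address, the ephemeral port and the simulated "scanner" fetch are assumptions so that it runs offline; in a real test you would bind it on a host you control, paste one link per message, click none of them yourself, and read the hit log. Any hit at all proves that something between the endpoints parsed the message body.

```python
"""Canary-link test for message-content scanning (added example).

Assumed setup, not from the article: run this server on a host you
control, send the generated URLs one per chat message, click none of
them, then inspect the hit log.  A fetch by anyone means the message
body was readable to the service.
"""
import secrets
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

HITS = []                 # one dict per fetch: token, client, ua, time
HITS_LOCK = threading.Lock()


def make_canary_links(base_url, n):
    """Return {token: url}.  Tokens are random so a hit cannot be a guess."""
    links = {}
    for _ in range(n):
        token = secrets.token_urlsafe(12)
        links[token] = f"{base_url}/c/{token}"
    return links


class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Path is /c/<token>; record whoever fetched it and answer 200.
        token = self.path.rsplit("/", 1)[-1]
        with HITS_LOCK:
            HITS.append({
                "token": token,
                "client": self.client_address[0],
                "ua": self.headers.get("User-Agent", ""),
                "time": datetime.now(timezone.utc).isoformat(),
            })
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, *args):
        pass  # keep the console quiet; HITS is the record


def start_server(host="127.0.0.1", port=0):
    """Start the canary server in a background thread; port 0 = any free port."""
    srv = HTTPServer((host, port), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def hits_for(token):
    with HITS_LOCK:
        return [h for h in HITS if h["token"] == token]


def report(links):
    """Map each token to whether anyone fetched its link."""
    return {t: bool(hits_for(t)) for t in links}


def simulate_scanner_fetch(url, user_agent="constructed-scanner/1.0"):
    """Stand-in for the remote service (constructed, local only): fetch one link."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    links = make_canary_links(base, 2)
    fetched, untouched = list(links)
    simulate_scanner_fetch(links[fetched])      # "the service" reads one message
    print(report(links))                        # {fetched: True, untouched: False}
    srv.shutdown()
```

Sending an HTTP and an HTTPS variant, as the article did, also tells you whether the scanner follows both schemes; comparing the logged client address against a whois record (as a later post in this thread does) tells you who fetched it.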
Posted

Good advice. If you're a criminal.

I'm not American so can't say I would particularly like it if US law enforcement had the ability to listen to my calls. But on the other hand, if they do (or even read my emails) I don't really care.

But I would warn them - it's going to be a boring exercise.

Posted

If you want encryption, use Pidgin, but, as with all things, this only works if the people you work with are using it too.

All IT vendors are required to provide their encryption algorithms to government security agencies. There is no such thing as secure communications for the general population. Many companies ban non-approved encryption software in their SOE for obvious reasons, and in some companies it is cause for dismissal.

Posted

Good advice. If you're a criminal.

I'm not American so can't say I would particularly like it if US law enforcement had the ability to listen to my calls. But on the other hand, if they do (or even read my emails) I don't really care.

But I would warn them - it's going to be a boring exercise.

No need to be a criminal to deserve privacy. Would you mind if I randomly listened to your conversations?
Posted

Good advice. If you're a criminal.

I'm not American so can't say I would particularly like it if US law enforcement had the ability to listen to my calls. But on the other hand, if they do (or even read my emails) I don't really care.

But I would warn them - it's going to be a boring exercise.

No need to be a criminal to deserve privacy. Would you mind if I randomly listened to your conversations?

That's not really the same thing, is it? That it is technically possible for someone on the other side of the world to listen doesn't mean much to me. I read recently that Skype users make 2 billion minutes' worth of calls per day, and I'm sure there are more interesting people than me to listen to.

Anyway, I think the article is only referring to instant messaging, not calls.

Posted

This isn't too different from phone companies being able to listen to calls and read SMS sent over the phone network. Just because they can doesn't mean someone is going to waste their time trawling through your calls and SMS.

But, if the police ask them to, the telco can access it and provide it to them.

Or Google and the like being able to feed you tailored ads based on your email content.

Skype is free. You get what you pay for.
Posted

If you want encryption, use Pidgin, but, as with all things, this only works if the people you work with are using it too.

All IT vendors are required to provide their encryption algorithms to government security agencies. There is no such thing as secure communications for the general population. Many companies ban non-approved encryption software in their SOE for obvious reasons, and in some companies it is cause for dismissal.

Wrong, that is not the case for PGP or some other strong and mature crypto solutions. Apple iMessage or iOS encryption is also a case in point: the Feds and the DEA couldn't decrypt and intercept the messages or the encrypted devices. http://money.cnn.com/2013/04/07/technology/security/imessage-iphone-dea/index.html

Yes, there are various secure, un-interceptable or undecryptable solutions. PGP is one of them, or even products like Silent Circle (runs on PC, iPhone, Android). Not only can't they be cracked, but they don't even store logs. https://silentcircle.com/

Yes, there are secure communications for the masses.

Posted

Good advice. If you're a criminal.

I'm not American so can't say I would particularly like it if US law enforcement had the ability to listen to my calls. But on the other hand, if they do (or even read my emails) I don't really care.

But I would warn them - it's going to be a boring exercise.

No need to be a criminal to deserve privacy. Would you mind if I randomly listened to your conversations?

That's not really the same thing, is it? That it is technically possible for someone on the other side of the world to listen doesn't mean much to me. I read recently that Skype users make 2 billion minutes' worth of calls per day, and I'm sure there are more interesting people than me to listen to.

Anyway, I think the article is only referring to instant messaging, not calls.

It's right that this referred to SMS and messages, but Skype encryption was already broken 3 years ago: http://deepquest.code511.com/skype/

Posted

This isn't too different from phone companies being able to listen to calls and read SMS sent over the phone network. Just because they can doesn't mean someone is going to waste their time trawling through your calls and SMS.

But, if the police ask them to, the telco can access it and provide it to them.

Or Google and the like being able to feed you tailored ads based on your email content.

Skype is free. You get what you pay for.

The most disturbing thing about Skype is that the interception is random! In the test the link was checked twice, while they used a new account, not a potential threat at all.

Posted

The digital world doesn't make it different from the physical world: all our communications (in whatever format) could be 'leaked' in some way. I send a postcard home and of course everyone could read it before it arrives home; should I care? I send a sealed letter to someone, and I would expect it to arrive unopened. Do you think the envelope has really never been opened?

Think twice about whether there is any end-to-end privacy over a public, commercial service network.

Just a piece of mind: should I care?

Posted

80% of my Skype messages are very boring and I feel sorry for anyone intercepting them.

20% of them may contain risqué language or explicit language of a sexual nature.

The video chats have been known to follow a similar pattern.

Posted

If you want encryption, use Pidgin, but, as with all things, this only works if the people you work with are using it too.

All IT vendors are required to provide their encryption algorithms to government security agencies. There is no such thing as secure communications for the general population. Many companies ban non-approved encryption software in their SOE for obvious reasons, and in some companies it is cause for dismissal.

Wrong, that is not the case for PGP or some other strong and mature crypto solutions. Apple iMessage or iOS encryption is also a case in point: the Feds and the DEA couldn't decrypt and intercept the messages or the encrypted devices. http://money.cnn.com/2013/04/07/technology/security/imessage-iphone-dea/index.html

Yes, there are various secure, un-interceptable or undecryptable solutions. PGP is one of them, or even products like Silent Circle (runs on PC, iPhone, Android). Not only can't they be cracked, but they don't even store logs. https://silentcircle.com/

Yes, there are secure communications for the masses.

Hate to tell you this, but PGP (all versions are owned by Symantec, which is a US company) isn't secure from the government's eyes, especially in the USA. The Department of Commerce has full authority over encryption technology regulations and its legal use and export; the NSA also works with them hand in hand in regards to encryption technology. Any and all encryption technology used in the USA, which is where most has been created, including some of the best in the world, is readable by the NSA. The reason is that the law in the USA (and, I might add, it's pretty much the same for all Western countries) states that the decryption keys must be provided to the Dept. of Commerce prior to release; this even goes for free encryption technology. They then pass these keys to the NSA. The NSA also shares these keys with its allies such as the UK, Australia, etc.

In regards to the DEA, all they needed to do was contact the NSA and decryption is done; maybe an hour at most, and 80% of that time would have been request forms. You can be rather assured that most organizations and freelance people out in the wild can't decrypt your messages; the NSA, forget about it, they have well over a billion dollars' worth of computers dedicated to doing this and the brightest minds in the world coming up with new tech and decryption methods. They are years, if not a decade, ahead of everyone on the planet in regards to this tech.

I know this for a fact, don't ask me why; let's just say been there, done that. There are no secrets on the internet: you put it out there and it can be captured and read, no matter how good you think you are.
Posted

I don't trust Microsoft; ten years ago they included spyware, Cydoor and Alexa variants, in almost every update of IE and Windows Media.

Weeks ago, I was checking the security of an old 2003 server during a P2V migration into ESXi and I got an alert for an IP from the US connecting to Remote Desktop; in netstat I could see the connection, but it was hidden from all the Microsoft tools.

This was the IP:

168.63.237.220

The segment is fully administered by Microsoft, not dynamic:

NetRange: 168.61.0.0 - 168.63.255.255
CIDR: 168.62.0.0/15, 168.61.0.0/16
OriginAS:
NetName: MSFT-EP
NetHandle: NET-168-61-0-0-1
Parent: NET-168-0-0-0-0
NetType: Direct Assignment
RegDate: 2011-06-22
Updated: 2012-10-16
Ref: http://whois.arin.net/rest/net/NET-168-61-0-0-1


OrgName: Microsoft Corp
OrgId: MSFT-Z
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 2011-06-22
Updated: 2013-04-12
Ref: http://whois.arin.net/rest/org/MSFT-Z

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/MSFTP-ARIN

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: [email protected]
OrgNOCRef: http://whois.arin.net/rest/poc/ZM23-ARIN

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/HOTMA-ARIN

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/MSNAB-ARIN

Looking in Google I found hundreds of reports of hacking from all of that segment.

Example Google search:

168.63 remote desktop
https://www.google.com/search?q=168.63+remote+desktop+

Apparently they were checking the license, since during the migration I had the two servers live with the same license; I really hope it was that. I know that all the Microsoft products have backdoors or stupid things like the DCOM service and other failures from a horrible architecture, like in the Hyper-V VM there is a Saved Games folder, My Pictures folder, etc. in the hypervisor!! The same bad stuff in the system files, where you can find old remnants of Win 3.11, 95, 98, etc., like they again and again just mash code; usually that happens only when they don't have any documentation or version control of what file is doing what, so the developers just follow the rule "if it is working, don't touch it".

One of the tests that I did, in a paranoid state of security, was to block all internet except one IP that I use as a tunnel for everything. It works great, but I guess that is too extreme. That was the only way that Skype worked without connecting to any other IP, over SSH2.

I can finish by adding that now I hate Skype; since Microsoft took control they finished the worldwide plan: big security problems, low quality, bad customer support, and that horrible chat integration with MSN, Hotmail, Outlook (from the socket/port point of view). I hope some alternative to Skype comes soon.
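One way to turn the netstat observation above into a repeatable check, as an added example rather than the poster's own procedure: parse `netstat -n` output and flag every connection whose remote address falls inside the netblock from the ARIN record quoted in the post (168.61.0.0/16 and 168.62.0.0/15, NetName MSFT-EP). The netstat lines embedded in the block are constructed for illustration, not captured from a real host; on a real machine you would pipe the actual output in. Unlike a one-off `findstr`, this handles IPv6 endpoints with zone ids and lets you narrow to one listening port (3389 for RDP), and it goes slightly beyond the post by checking the whole registered range rather than the single address that was seen.

```python
"""Flag live connections whose remote side is in a published netblock.

Added example; the netblock is taken from the ARIN record quoted in the
post above, the netstat sample is constructed for illustration.
Usage on a real host:  netstat -n | python this_script.py
"""
import ipaddress
import sys

# CIDR blocks from the ARIN record for NET-168-61-0-0-1 (NetName MSFT-EP).
MSFT_EP = [ipaddress.ip_network(c) for c in ("168.62.0.0/15", "168.61.0.0/16")]

# Constructed sample of Windows `netstat -n` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:3389          168.63.237.220:51234   ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.17:49813        ESTABLISHED
  TCP    10.0.0.5:49720         168.61.4.9:443         TIME_WAIT
  TCP    [fe80::1%12]:3389      [fe80::2%12]:50001     ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""


def split_endpoint(s):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[fe80::1%12]:80' -> ('fe80::1', 80);
    '*:*' -> (None, None)."""
    host, _, port = s.rpartition(":")
    if host in ("", "*") or port == "*":
        return None, None
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    return host, int(port)


def parse_netstat(text):
    """Return one dict per TCP/UDP line that has a concrete remote endpoint."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                          # header, blank or unknown line
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        if rhost is None:
            continue                          # listening socket, no peer
        conns.append({"proto": proto, "local": lhost, "lport": lport,
                      "remote": rhost, "rport": rport, "state": state})
    return conns


def in_ranges(ip, networks):
    """True if ip lies in any of the networks (v4/v6 mismatch is simply False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def flag_connections(conns, networks=MSFT_EP, local_port=None):
    """Connections whose remote address is inside the netblock.
    local_port narrows to one service, e.g. 3389 for Remote Desktop."""
    hits = []
    for c in conns:
        if local_port is not None and c["lport"] != local_port:
            continue
        if in_ranges(c["remote"], networks):
            hits.append(c)
    return hits


if __name__ == "__main__":
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for c in flag_connections(parse_netstat(text)):
        print(f"{c['proto']} {c['local']}:{c['lport']} <- "
              f"{c['remote']}:{c['rport']} {c['state']}")
```

The check is only as good as the netblock list; a whois lookup for the single address you saw tells you the registered range, which is what the list above encodes.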

Posted


Don't worry too much; although Skype isn't great (I think it used to be better), any alternative will have just as many backdoors plugged into it. Free software means the developer has the right, and you agree when installing, to take anything they want from you and use it as they wish; you essentially voluntarily give up your right to privacy.

This is partly how they come to find out what people want and how to change services for the better. Now, if you want something that works great from MS without any holes, subscribe to MS Lync. Yes, you pay for it, but you block the Customer Improvement Program option and nothing goes in or out, with the exception of updates, which are controlled through the OS.

iOS for Mac does the same thing; it's just not talked about as much since it only represents around 3% of the world's computer users.

Posted

If you want encryption, use Pidgin, but, as with all things, this only works if the people you work with are using it too.

All IT vendors are required to provide their encryption algorithms to government security agencies. There is no such thing as secure communications for the general population. Many companies ban non-approved encryption software in their SOE for obvious reasons, and in some companies it is cause for dismissal.

Encryption algorithms are not secrets (only keys are). The most widely used encryption algorithms are public standards. It is a requirement that knowing how the algorithm works will not allow you to decrypt a communication. Encryption algorithms must be published to allow for peer review and to *let* professional cryptographers try to attack them.

Sane IT vendors only use published encryption algorithms that have withstood years of professional scrutiny and abuse. Unfortunately, vendors quite often make mistakes in their implementations, and there are quite a few crazies who try to invent their own, but Skype is not one of them (it uses the Advanced Encryption Standard with 256-bit keys).

The Ars Technica article shows that some unencrypted data is being passed back to Microsoft, but it may well be that your Skype client is just extracting links for evaluation (still unacceptable as far as I'm concerned, but it doesn't necessarily mean they are going through the lot of it).

Posted

If you want encryption, use Pidgin, but, as with all things, this only works if the people you work with are using it too.

All IT vendors are required to provide their encryption algorithms to government security agencies. There is no such thing as secure communications for the general population. Many companies ban non-approved encryption software in their SOE for obvious reasons, and in some companies it is cause for dismissal.

And then little green men came flying in on dinosaurs... chanting "U.S.A., U.S.A."...

Posted

If you want encryption, use Pidgin, but, as with all things, this only works if the people you work with are using it too.

All IT vendors are required to provide their encryption algorithms to government security agencies. There is no such thing as secure communications for the general population. Many companies ban non-approved encryption software in their SOE for obvious reasons, and in some companies it is cause for dismissal.

And then little green men came flying in on dinosaurs... chanting "U.S.A., U.S.A."...

I think they are singing UK, UK, UK and Australia, Australia, Australia, etc. etc. etc. LOL. I love how people always blame everything on the USA, but yet in a lot of cases want everything they have... They just want it on their terms... Sort of like giving cars to countries that don't even have basic education and expecting them to drive them safely :)... Nope, doesn't work, just take a look around...

Posted

Well all US corporations are pressured into releasing their data to law enforcement.

I would not have an issue with that per se - if they followed US law and procedure.

What I have an issue with is that they don't. Particularly since 9/11, law enforcement has been allowed to spy on Americans in America without court orders, or any authorization from courts. That's important because it removes the separation between judiciary and executive which is necessary to ensure a functioning democracy.

Google recently sued against having to release user data to government agencies without a court order, basically at will. Others like Microsoft don't even sue; they just bend over.

And just today I read that there is currently an operation underway to record all American calls: not the contents, but who is calling whom, when, with location data. AT&T, Verizon, Sprint, T-Mobile all hand ALL their data over to the FBI / NSA (forgot which). This is going to happen until July.

And the FBI was complaining that Apple's iMessage service is using actual - OMG - end to end encryption and is pressuring Apple to install backdoors.

It's an out of control government ignoring the constitution.

Posted

Case in point: rumors of a government spying program in collaboration with the biggest US corporations.

The rumor seems to be false, at least as far as Google, Apple, and Facebook are concerned. But read each denial carefully. Only one company does what I *expect* a company to do with my private data: Apple. The other two make wishy-washy statements that could mean anything.

Apple said: if you want to get our customers' data, you need a court order.

Google and Facebook: "we comply with applicable laws and we 'scrutinize' each request." Both didn't mention court orders, so the translation is: if any agency asks for stuff, they'll hand it over. No court order required at Google or Facebook!

Microsoft did not even issue a denial... Go figure.

http://www.cultofmac.com/230358/everything-you-need-to-know-about-apple-and-prism/

Posted

Case in point: rumors of a government spying program in collaboration with the biggest US corporations.

The rumor seems to be false, at least as far as Google, Apple, and Facebook are concerned. But read each denial carefully. Only one company does what I *expect* a company to do with my private data: Apple. The other two make wishy-washy statements that could mean anything.

Apple said: if you want to get our customers' data, you need a court order.

Google and Facebook: "we comply with applicable laws and we 'scrutinize' each request." Both didn't mention court orders, so the translation is: if any agency asks for stuff, they'll hand it over. No court order required at Google or Facebook!

Microsoft did not even issue a denial... Go figure.

http://www.cultofmac.com/230358/everything-you-need-to-know-about-apple-and-prism/

The rumors are not false; it's a US government funded project called PRISM. Some info at

http://www.guardian.co.uk/world/2013/jun/06/national-security-agency-surveillance

Posted

Facebook, Google: I don't use either of them anymore. Facebook, there is ZERO privacy even if they say there is. Google, they even admit that they data-mine your email and that your messages belong to them and they can do anything they want. They are both in the advertising business. Go review the terms of service agreement for Outlook mail, formerly known as Hotmail, and compare the disclosure statements. While nothing is perfect, considering it's free, I would trust Outlook mail before others. Even Yahoo data-mines everything; it's a business and that's how they make money. You didn't expect that the email address you have is really free, did you????

As the saying goes, anything on the internet is wide open; don't say or do anything that you might regret in the future or don't want to be known publicly.

Still the best way to do anything is face to face in regards to communications that you don't want shared with anyone. It's not going to get better, it's going to get worse worldwide. Technology has its ugly side too...
